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DETAILED ACTION 



Claim Rejections - 35 USC § 102 

1 . The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 



2. Claims 1-6, 9, 12, 15, and 18-22 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Ateniese et al (hereinafter Ateniese), "Some Open Issues and New 
Directions in Group Signatures". 

As per claims 1 and 18, Ateniese discloses a participant subsystem (see 
for example; signer page 207 section 10) that is authorized to anonymously 
participate in a plurality of sessions using secret information provided by a 
manager subsystem (see for example; group manager, page 197 section 2) and 

a reception subsystem that determines whether it is acceptable for the 
participant subsystem to participate in a session (see for example; verify, page 
207 section 10), wherein 

the participant subsystem comprises: an anonymous signing section for 
authorizing individual data using the secret information depending on session- 
related information (see for example; one time base g, page 207 section 10) to 
produce anonymous participation data with anonymous signature (see for 
example; group signature, page 207 section 10) 



States. 
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and the reception subsystem comprises; 

an anonymous signature determining section for determining whether 
received data its anonymous participation data (see for example; verify, page 
207 section 10) with anonymous signature authorized by the participant 
subsystem; and a sender match determining section for determining whether 
anonymous signatures of arbitrary two pieces (Vi )i( , V 2 , j ) of anonymous 
participation data are signed by an identical participant subsystem (see for 
example; same g must be used, page 207 section 10). 

As per claims 2 and 19, Ateniese discloses the claimed limitations as 
described above (see claim 1). Ateniese further discloses wherein the 
anonymous signature includes data that is generated by a predetermined 
expression (see for example; group signature page 205 paragraph 2 and page 
207 section 10) using the session-related information and the secret information, 
wherein the sender match determining section checks the data included in the 
anonymous signature of received anonymous participation data (see for 
example; check the uniqueness of z, page 207 section 10 paragraph 5). 

As per claims 3 and 20, Ateniese discloses the claimed limitations as 
described above (see claim 2). Anteniese further discloses raising a session 
dependent base (g) to a power that is dependent on the secret information (see 
for example; page 204 paragraphs 3-4 and page 207 section 10). 
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As per claim 4, Ateniese discloses the claimed limitations as described 
above (see claim 1). Ateniese further discloses the anonymous signing section 
authorizes the individual data based on a group signature scheme (see for 
example; page 198-199 section 3). 

As per claim 5, Ateniese discloses the claimed limitations as described 
above (see claim 1 ). As for an escrowed identity scheme, Ateniese further 
discloses being able to identify the signer by a third party (group manager) and 
thus an escrowed identity scheme (see for example; OPEN, page 197). 

As per claims 6 and 21, Ateniese discloses the claimed limitations as 
described above (see claim 1 ). Ateniese further discloses a generator for 
creating a session-dependent generator depending on the session related 
information (see for example; trusted entity to generate, page 210 section 10.3); 

A group signing section for signing the individual data using the session- 
dependent generator and the secret information to produce anonymous 
participation data (see for example; group signature over a message, page 104; 
and one-time base page 207 section 10), wherein the anonymous participation 
data includes data obtained by raising the session-dependent generator to a 
power determined by the secret information (see for example; Vi := ... , page 
204); and 
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a linkage data generating section for generating linkage data indicating a 
relationship among the session-dependent generator and a generator 
determined by the individual data and/or the session related information (see for 
example; check the uniqueness of z, page 207 section 10 paragraph 5). Such 
generator for z pertaining to the session (one time base) must be present to 
produce the value. 

As per claims 9 and 22, similar limitations are described in claims 6 and 
21 above and are rejected under the same rationale. 

As per claim 12, Ateniese discloses the claimed limitations as described 
above (see claim 1 ). Ateniese further discloses a generator for creating a 
session-dependent generator depending on the session related information (see 
for example; trusted entity to generate, page 210 section 10.3); 

A escrow identity signing section for signing the individual data using the 
session-dependent generator and the secret information to produce anonymous 
participation data (see for example; group signature over a message, page 104; 
and one-time base page 207 section 10), wherein the anonymous participation 
data includes data obtained by raising the session-dependent generator to a 
power determined by the secret information (see for example; Vi := page 



204); and 
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a linkage data generating section for generating linkage data indicating a 
relationship among the session-dependent generator and a generator 
determined by the individual data and/or the session related information (see for 
example; check the uniqueness of z, page 207 section 10 paragraph 5). Such 
generator for z pertaining to the session (one time base) must be present to 
produce the value. 

Ateniese further discloses that such signing can recover a signors identity 
by a third part, thus an escrow identity signing section (see for example; OPEN, 
page 197). 

As per claim 15, similar limitations are recited in claim 13 above and are 
rejected under the same rationale. 



3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



4. Claims 1-6, 9, 12, 15 and 18-22 are rejected under 35 U.S.C. 103(a) as being 



Claim Rejections - 35 USC § 103 



unpatentable over Ramzan et al (hereinafter Ramzan), "Group Blind Digital Signatures: 
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A Scalable Solution to Electronic Cash", in view of Ateniese et al (hereinafter Ateniese), 
"Some Open Issues and New Directions in Group Signatures". 

As per claims 1 and 18, Ramzan discloses a participant subsystem (see 
for example; Alice page 57 paragraph 3) that is authorized to anonymously 
participate in a plurality of sessions using secret information provided by a 
manager subsystem, (see for example; LRF, page 57 paragraphs 3-4) and 

a reception subsystem that determines whether it is acceptable for the 
participant subsystem to participate in a session (see for example; VSF page 58), 
wherein 

the participant subsystem comprises: an anonymous signing section for 
authorizing individual data using the secret information (see for example; see for 
example; page 57 Voting section and page 80-81 section A.3.3) to produce 
anonymous participation data with anonymous signature (see for example; page 
57 section Voting and page 80-81 section A.3.3) 

and the reception subsystem comprises; 

an anonymous signature determining section for determining whether 
received data is anonymous participation data with anonymous signature 
authorized by the participant subsystem (see for example; VSR page 58); and a 
sender match determining section for determining whether anonymous 
signatures of arbitrary two pieces (Vi and V 2 ) of anonymous participation data 
are signed by an identical participant subsystem (see for example; serial number 
page 58, and page 80). 
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Ramzan does not explicitly teach the secret information pertaining being 
session dependent, Ateniese discloses means of anonymous participation 
employing group signatures wherein the secret information is session dependent 
(see for example; page 207 section 10). The base "g" used for producing the 
signature is used in both Ramzan (see for example; page 80 In 2-4) and 
Ateniese. However, Ateniese modifies the use of "g" such that it session 
dependent (see for example; page 207 section 10) such that compositional 
integrity is upheld for that one-time participating, thus being a valid for one 
session (see for example; page 206 paragraphs 3-7). It would have been 
obvious to one of ordinary skill in the art at the time of the applicant's invention to 
combine the teachings of Ateniese within the system of Ramzan because it 
would have added functionality and compositional integrity. 

As per claims 2 and 19, Ramzan-Ateniese discloses the claimed 
limitations as described above (see claim 1 ). Ateniese further discloses wherein 
the anonymous signature includes data that is generated by a predetermined 
expression (see for example; group signature page 205 paragraph 2 and page 
207 section 10) using the session-related information and the secret information, 
wherein the sender match determining section checks the data included in the 
anonymous signature of received anonymous participation data (see for 
example; check the uniqueness of z, page 207 section 10 paragraph 5). 
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As per claims 3 and 20, Ramzan-Ateniese discloses the claimed 
limitations as described above (see claim 2). Anteniese further discloses raising 
a session dependent base (g) to a power that is dependent on the secret 
information (see for example; page 204 paragraphs 3-4 and page 207 section 



As per claim 4, Ramzan-Ateniese discloses the claimed limitations as 
described above (see claim 1 ). Ramzan further discloses the anonymous 
signing section authorizes the individual data based on a group signature 
scheme (see for example; group blind digital signatures, abstract). 

As per claim 5, Ramzan-Ateniese discloses the claimed limitations as 
described above (see claim 1 ). As for an escrowed identity scheme, Ramzan 
further discloses being able to identify the signer by a third party (group 
manager) and thus an escrowed identity scheme (see for example; page 81 
section A.3.4). 

As per claims 6 and 21 , Ramzan-Ateniese discloses the claimed 
limitations as described above (see claim 1 ). Ramzan further discloses a group 
signing section for signing the individual data using the secret information to 
produce anonymous participation data (see for example; pages 80-81 section 



10). 
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A.3.3); and a linkage data generating section for generating linkage data(see for 
example; serial number pages 57-58). 

Ramzan does not explicitly teach a generator creating section for creating 
a session-dependent generator depending on the session related information 
and group signing using the session dependent generator and the secret 
information. Ateniese further discloses such a generator for group signing to 
produce anonymous participation data, wherein the anonymous participation 
data includes data obtained by raising the session-dependent generator to a 
power determined by the secret information (see for example; page 207 section 
10) (see for example; page 207 section 10). The common random, one-time 
base must be generated by some means, thus a session-dependent generator is 
inherent to the teachings of Ateniese. Ateniese further discloses such session- 
dependent generator to be used for signing and a linkage data generating 
section for generating linkage data indicating a relationship among the session- 
dependent generator and a generator determined by the individual data and/or 
the session related information (see for example; z, page 207 section 10 
paragraph 5). Such use of session-dependent information allows greater 
compositional integrity (see for example; Ateniese page 206).t It would have 
been obvious to one of ordinary skill in the art at the time of the applicant's 
invention to combine the teachings of Ateniese within the system of Ramzan 
because it would have added functionality and compositional integrity. 
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As per claims 9 and 22, Ramzan-Ateniese discloses the claimed 
limitations as described above (see claim 1 ). Ramzan further discloses a group 
signing section for signing the individual data using the secret information to 
produce anonymous participation data (see for example; pages 80-81 section 
A.3.3). 

Ramzan does not explicitly teach a generator creating section for creating 
a session-dependent generator depending on the session related information 
and group signing using the session dependent generator and the secret 
information. Ateniese further discloses such a generator for group signing to 
produce anonymous participation data, wherein the anonymous participation 
data includes data obtained by raising the session-dependent generator to a 
power determined by the secret information (see for example; page 207 section 
10). The common random, one-time base must be generated by some means, 
thus a session-dependent generator is inherent to the teachings of Ateniese. 
Such use of session-dependent information allows greater compositional integrity 
(see for example; Ateniese page 206).t It would have been obvious to one of 
ordinary skill in the art at the time of the applicant's invention to combine the 
teachings of Ateniese within the system of Ramzan because it would have added 
functionality and compositional integrity. 

As per claim 12, Ramzan-Ateniese discloses the claimed limitations as 
described above (see claim 1). Ramzan further discloses an escrow identifying 
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section for signing the individual data using the secret information to produce 
anonymous participation data (see for example; pages 80-81 section A.3.3); and 
a linkage data generating section for generating linkage data(see for example; 
serial number pages 57-58). Ramzan discloses that the signing can also be 
identified by a third party, thus an escrow identifying signing (see for example; 
page 81 section A.3.4) 

Ramzan does not explicitly teach a generator creating section for creating 
a session-dependent generator depending on the session related information 
and group signing using the session dependent generator and the secret 
information. Ateniese further discloses such a generator for signing to produce 
anonymous participation data, wherein the anonymous participation data 
includes data obtained by raising the session-dependent generator to a power 
determined by the secret information (see for example; page 207 section 10) 
The common random, one-time base must be generated by some means, thus a 
session-dependent generator is inherent to the teachings of Ateniese. Ateniese 
further discloses such session-dependent generator to be used for signing and a 
linkage data generating section for generating linkage data indicating a 
relationship among the session-dependent generator and a generator 
determined by the individual data and/or the session related information (see for 
example; z, page 207 section 10 paragraph 5). Such use of session-dependent 
information allows greater compositional integrity (see for example; Ateniese 
page 206). It would have been obvious to one of ordinary skill in the art at the 
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time of the applicant's invention to combine the teachings of Ateniese within the 
system of Ramzan because it would have added functionality and compositional 
integrity. 

As per claim 15, similar limitations are recited in claim 13 above and are 
rejected under the same rationale. 

5. Claims 7-8 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Ateniese et al (hereinafter Ateniese), "Some Open Issues and New Directions in Group 
Signatures" in view of Camenisch et al (hereinafter Camenisch), "Efficient Group 
Signatures Schemes for Large Groups, and further in view of Grabbe, "Introduction to 
Digital Cash". 

As per claim 7, Ateniese discloses the claimed limitations as described 
above (see claim 6). Ateniese further discloses a group-signing scheme 
suggested by Camenisch (see for example; CS97 page 199 and section 10 page 
207). Only the "sign" procedure is involves a new initial stage, taking into 
account a one-time base (see for example; section 10 page 207). As per the 
secret information being represented by (x,y,v) that satisfies v=(y+8) 1/e , where 
y=a x mod n, n is a product of two prime numbers as used in the RSA 
cryptography, g is a generator that generates a cyclic group of order n, a is an 
integer mutually prime to n, e is an integer mutually prime to the Euler number of 
n, and 5 is a constant other than 1, Camenisch discloses such secret information 
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as part of the join process of basic group signatures (see for example; page 417- 
417) of which Ateniese relies on. 

Ateniese further discloses a session dependent generator gA 
corresponding to a session (see for example; section 10 page 207 and section 
10.3 page 210; the base "g" is generated), 

the group signing section sets z=g A y (see for example; page 204) and 
generates a proof statement 

V x = SKLOGLOG(z,g A ,a)[a : z =g A (a a )](l) (see for example; page 204) 

providing the knowledge of a a satisfying z=g A {aa) (see for example; x, 
page 204) and a second proof statement 

V 2 =SmOOTLOG(z*g A \g A ,e)[/3:z*g A b = g A tn ]Q) (see for example V2; 
page 204) 

providing the knowledge of p satisfying z*g A b =g A i ^' ) (see for example; 
page 204). 

As for a linkage data generating section setting zi=g m y and generating a 
third proof statement V 3) Ateniese discloses an alternative linking step by 
generating a third proof statement V 3 (see for example; page 205), however the 
linkage step is for linking between different groups and not for the generator 
dependent on individual data g m . However, Ateniese further discloses that an 
identity of the person can be found by the group manager (see for example page 
1 97 and page 205). Grabbe further discloses a means of anonymous signature 
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wherein the notion of "restrictive blind" signature, and the "Schnorr identification 
scheme" are introduced for privacy protection (see for example; page 3 
paragraph 4). Ateniese further suggests a linking in which the group manager is 
able to identify the signer (see for example page 1 97). Grabbe further discloses 
use of a means wherein linkage data is generated (Schnorr identification) such 
that a user's identity is revealed (see page 3 paragraphs 4-6). Such use of a 
geometric trap for being able to identify users based on a conditional blinding 
would have been realized by one of ordinary skill in the art at the time of the 
applicant's invention and applied to the linkage step of Ateniese. It would have 
been obvious to one of ordinary skill in the art at the time of the applicant's 
invention to combine the teachings of Grabbe within the Ateniese-Camenisch 
combination because it would have increased security by prohibiting double 
voting or additional use of the signature during a session. 

As for the anonymous participation data being defined by as (A, M, z, zi, 
Vi, V 2 , V3), one of ordinary skill in the art would have recognized such data 
through the existing data of Ateniese (see for example; page 207 section 10) and 
the added data of Grabbe (see for example; page 3 paragraph 4). 

As per claim 8, Ateniese-Camenisch-Grabbe discloses the claimed 
limitations as described above. Ateniese further discloses the anonymous 
signature section checks the anonymous participation data to determine whether 
received data is anonymous participation data with the anonymous signature 
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authorized by the participant system (see for example; verify page 207 section 
10), and 

the sender match determining section checks z of the anonymous 
participation data to determine whether anonymous signatures of arbitrary two 
pieces of anonymous participation data are signed by an identical participant 
system (see for example; duplicate z, page 207 section 10). 

6. Claims 10-11 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Ateniese et al (hereinafter Ateniese), "Some Open Issues and New Directions in Group 
Signatures" in view of Camenisch et al (hereinafter Camenisch), "Efficient Group 
Signatures Schemes for Large Groups 

As per claim 10, Ateniese discloses the claimed limitations as described 
above (see claim 6). Ateniese further discloses a group-signing scheme 
suggested by Camenisch (see for example; CS97 page 199 and section 10 page 
207). Only the "sign" procedure is involves a new initial stage, taking into 
account a one-time base (see for example; section 10 page 207). As per the 
secret information being represented by (x,y,v) that satisfies v=(y+5) 1/e , where 
y=a x mod n, n is a product of two prime numbers as used in the RSA 
cryptography, g is a generator that generates a cyclic group of order n, a is an 
integer mutually prime to n, e is an integer mutually prime to the Euler number of 
n, and 5 is a constant other than 1, Camenisch discloses such secret information 
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as part of the join process of basic group signatures (see for example; page 417- 
417) of which Ateniese relies on. 

Ateniese further discloses a session dependent generator g A 
corresponding to a session (see for example; section 10 page 207 and section 
10.3 page 210; the base "g" is generated), 

the group signing section sets z=g A y (see for example; page 204) and 
generates a proof statement 

V x = SKLOGLOG(z,g A ,a)[a : z =g A (a a )](i) (see for example; page 204) 

providing the knowledge of a a satisfying z =gA (aa) (see for example; x, 
page 204) and a second proof statement 

V 2 =SKROOTLOG(z*g A b ,g A ,e)[{3:z*g A b = g A in ](l) (see for example V2; 
page 204) 

providing the knowledge of ft satisfying z*g A h = g A in (see for example; 
page 204). 

As for the anonymous participation data being defined by as (A, m, z, zi, 
Vi, V 2 , V 3 ), one of ordinary skill in the art would have recognized such data 
through the existing data of Ateniese (see for example; page 207 section 10). 

As per claim 1 1 , Ateniese-Camenisch discloses the claimed limitations as 
described above. Ateniese further discloses the anonymous signature section 
checks the anonymous participation data to determine whether received data is 
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anonymous participation data with the anonymous signature authorized by the 
participant system (see for example; verify page 207 section 10), and 

the sender match determining section checks z of the anonymous 
participation data to determine whether anonymous signatures of arbitrary two 
pieces of anonymous participation data are signed by an identical participant 
system (see for example; duplicate z, page 207 section 10). 

7. Claims 13-14 and 16-17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Ateniese et al (hereinafter Ateniese), "Some Open Issues and New 
Directions in Group Signatures" in view of Camenisch et al (hereinafter Camenisch), 
"Efficient Group Signatures Schemes for Large Groups, and further in view of Kilian, 
"Identity Escrow". 

As per claim 13, Ateniese discloses a group signing signature scheme as 
described above (see claim 12) and further discloses identity escrowing based 
on the group manager (see for example; Introduction, page 198). However, 
Kilian suggests that to achieve the a proper identity escrow system, the roles of 
the issuer and escrow agency must be split (see for example; page 175 
paragraph 2). 

Ateniese further discloses a session dependent generator gA 
corresponding to a session (see for example; section 10 page 207 and section 
10.3 page 210; the base "g" is generated), 
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the escrow identifying section sets z (see for example; page 204). As for 
generating a first proof statement 

V l = SKROOTLOG(z a ,g A ,e)[a : z a =g> a )](l) (see for example; page 204) 

O e ) 

proving the knowledge satisfying of satisfying z a =gA (see for 

example; x, page 204), Ateniese further discloses such generation of a proof 
statement using SKLOGLOG (see for example; page 204). Ateniese does not 
explicitly teach the use of SKROOTLOG as in generating a first proof statement. 
Camenisch further discloses the use SKROOTLOG in place of SKLOGLO for 
generating proof statements as a more efficient alternative to generating such 
statements (see for example; page 420 section 6). It would have been obvious 
to one of ordinary skill in the art at the time of the applicant's invention to use 
such SKROOTLOG in place of SKLOGLOG in generation of signatures because 
it would have provided a means of generating proof statements in a more 
efficient manner. 

As for a second proof statement by setting z b S A 

V 2 = SKROOTLOG(z b ,g A ,e)[j3 : z b = g/'^il) (see for example V2; page 

204) 

proving the knowledge of y? satisfying z b = gj^ (see for example; page 

204), Ateniese discloses a means of generating proof statements for proving the 
knowledge of a and p respectively (see for example; page 204). Camenisch 
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further discloses such proof statements generated using SKROOTLOG. 
Ateniese-Camenisch does not explicitly teach a means of generating secret 
information being represented by (a,b) that satisfies b= (a e -5)1/e, mod n, where 
n is a product of two prim numbers as used in the RSA cryptography, g is a 
generator that generates a cyclic group of order n, a is an integer mutually prime 
to n, e is an integer mutually prime to the Euler number of n, and 6 is a constant 
other than 1, Kilian discloses such secret information for creating a separated 
escrow identity group signature scheme (see for example; page 177 paragraphs 
1-2). Ateniese-Camenisch discloses the anonymous group signing as described 
above see claim 12) and is silent on details of a proper identity escrow system. 
Kilian further discloses the importance of separating roles of issuing and identity 
escrowing from the group manager of Ateniese (see for example; page 1 75 
paragraphs 1-2). Ateniese discloses that the first and second proof statements 
are generated based on a computation of z such that the statements prove the 
knowledge of secrets respectively (see for example; page 204). Such generation 
of a first and second proof statements using corresponding generation of z based 
on such secret information of Kilian would have been realized by one of ordinary 
skill in the art. It would have been obvious to one of ordinary skill in the art at the 
time of the applicant's invention to combine the identity-escrow certificates of 
Kilian within the Ateniese-Camenisch combination because it would have added 
the security of a proper identity escrow system to the group signature system of 
Ateniese-Camenisch. 
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As for a linkage data generating section setting zi=g m y and generating a 
third proof statement V 3 , Ateniese discloses an alternative linking step by 
generating a third proof statement V 3 (see for example; page 205), however the 
linkage step is for linking between different groups and not for the generator 
dependent on individual data g m . Kilian further discloses a need for some linking 
based on the identification data of the signer (see for example; page 179 
paragraphs 5-7). One of ordinary skill in the art at the time of the applicant's 
invention would have realized such linkage data generating in creating the third 
proof statement of Ateniese-Camenisch for the session-dependent data of 
Ateniese-Camenisch and identification data of Kilian. It would have been 
obvious to one of ordinary skill in the art to provide such linkage because it would 
have allowed a higher security by linking an identifier to the session-based 
signature so as to be able to identify the person by a trusted third party. 

As per claim 14, Ateniese-Camenisch-Kilian discloses the claimed 
limitations as described above. Ateniese further discloses the anonymous 
signature section checks the anonymous participation data to determine whether 
received data is anonymous participation data with the anonymous signature 
authorized by the participant system (see for example; verify page 207 section 
10), and 

the sender match determining section checks z of the anonymous 
participation data to determine whether anonymous signatures of arbitrary two 
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pieces of anonymous participation data are signed by an identical participant 
system (see for example; duplicate z, page 207 section 10). 



As per claim 16, Ateniese discloses a group signing signature scheme as 
described above (see claim 12) and further discloses identity escrowing based 
on the group manager (see for example; Introduction, page 198). However, 
Kilian suggests that to achieve the a proper identity escrow system, the roles of 
the issuer and escrow agency must be split (see for example; page 175 
paragraph 2). 

Ateniese further discloses a session dependent generator gA 
corresponding to a session (see for example; section 10 page 207 and section 
10.3 page 210; the base "g" is generated), 

the escrow identifying section sets z (see for example; page 204). As for 
generating a first proof statement 

V l = SKROOTLOG(z a ,g A ,e)[a : z a =g A (a a )](l) (see for example; page 204) 

proving the knowledge satisfying of satisfying z a -gA (see for 

example; x, page 204), Ateniese further discloses such generation of a proof 
statement using SKLOGLOG (see for example; page 204). Ateniese does not 
explicitly teach the use of SKROOTLOG as in generating a first proof statement. 
Camenisch further discloses the use SKROOTLOG in place of SKLOGLO for 
generating proof statements as a more efficient alternative to generating such 
statements (see for example; page 420 section 6). It would have been obvious 
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to one of ordinary skill in the art at the time of the applicant's invention to use 
such SKROOTLOG in place of SKLOGLOG in generation of signatures because 
it would have provided a means of generating proof statements in a more 
efficient manner. 

_ (b e ) 

As for a second proof statement by setting z b ~& A 

V 2 = SKROOTLOG(z b ,g A ,e)[j3 : z b = (see for example V2; page 

204) 

proving the knowledge of p satisfying z b = g A (n (see for example; page 

204), Ateniese discloses a means of generating proof statements for proving the 
knowledge of a and p respectively (see for example; page 204). Camenisch 
further discloses such proof statements generated using SKROOTLOG. 
Ateniese-Camenisch does not explicitly teach a means of generating secret 
information being represented by (a,b) that satisfies b= (ae-8)1/e, mod n, where 
n is a product of two prim numbers as used in the RSA cryptography, g is a 
generator that generates a cyclic group of order n, a is an integer mutually prime 
to n, e is an integer mutually prime to the Euler number of n, and 5 is a constant 
other than 1, Kilian discloses such secret information for creating a separated 
escrow identity group signature scheme (see for example; page 177 paragraphs 
1-2). Ateniese-Camenisch discloses the anonymous group signing as described 
above see claim 12) and is silent on details of a proper identity escrow system. 
Kilian further discloses the importance of separating roles of issuing and identity 
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escrowing from the group manager of Ateniese (see for example; page 175 
paragraphs 1-2). Ateniese discloses that the first and second proof statements 
are generated based on a computation of z such that the statements prove the 
knowledge of secrets respectively (see for example; page 204). Such generation 
of a first and second proof statements using corresponding generation of z based 
on such secret information of Kilian would have been realized by one of ordinary 
skill in the art. It would have been obvious to one of ordinary skill in the art at the 
time of the applicant's invention to combine the identity-escrow certificates of 
Kilian within the Ateniese-Camenisch combination because it would have added 
the security of a proper identity escrow system to the group signature system of 
Ateniese-Camenisch. 

As per claim 17, Ateniese-Camenisch-Kilian discloses the claimed 
limitations as described above. Ateniese further discloses the anonymous 
signature section checks the anonymous participation data to determine whether 
received data is anonymous participation data with the anonymous signature 
authorized by the participant system (see for example; verify page 207 section 
10), and 

the sender match determining section checks z of the anonymous 
participation data to determine whether anonymous signatures of arbitrary two 
pieces of anonymous participation data are signed by an identical participant 
system (see for example; duplicate z, page 207 section 10). 
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Conclusion 



8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Killian et al, US Patent 5,495,532, discloses an anonymous voting system. 

Jakobsson et al, US Patent 6,636,969 discloses an anonymous signature system 
that is traceable. 

Franklin et al, US Patent 6,055,518, discloses an anonymous electronic bidding 
system. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Allen S. Wu whose telephone number is 703-305-0708. 
The examiner can normally be reached on Monday-Friday 9am-5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 703-305-4393. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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